
NIS2 Access Control: The Complete Guide for Essential & Important Entities

A clause-by-clause guide to NIS2 access control obligations — Article 21(2)(i) and (j), CIR 2024/2690 Annex sections 10–12, and the evidence auditors expect.


Gowtham Palanisamy

Founder · May 27, 2026 · 7 min read


A practical, vendor-neutral guide to meeting the NIS2 access-control and identity-lifecycle obligations, mapped clause-by-clause to the legal text.

This hub is the entry point. It explains how the pieces fit together, who should read what, and links to each topic page. Every recommendation in the linked pages is traced back to a specific provision of the NIS2 Directive (EU) 2022/2555 and, where applicable, the Commission Implementing Regulation (EU) 2024/2690 ("the Implementing Regulation" / CIR).

Status: Working reference, version 1.0 · Last reviewed against EUR-Lex sources June 2026. Not legal advice. NIS2 is a directive: the binding rules in your jurisdiction are your member state's national transposition law, which may add or tighten requirements. Use this as an engineering and governance reference, then confirm specifics with your legal/compliance function. See the disclaimer.


| Layer | Instrument | What it gives you | Applies to |
|---|---|---|---|
| Directive | NIS2 — Directive (EU) 2022/2555 | The obligations: governance (Art. 20) and the ten risk-management measures (Art. 21(2)) — outcome-based, technology-neutral | All essential & important entities (via national law) |
| Implementing Regulation | CIR (EU) 2024/2690 | The technical detail: a 13-section Annex with ~150 concrete requirements that specify Art. 21(2) | Directly binding on named digital-sector entities; best-practice baseline for everyone else |

The Directive tells you what to achieve; the Implementing Regulation tells you what "good" looks like. Even if the CIR is not legally binding on your entity type, it is the clearest expression of regulator expectations for Art. 21(2), so this guide uses it as the control baseline throughout.


How access control & lifecycle sit inside NIS2

Access control and identity lifecycle are concentrated in Article 21(2)(i) (human resources security, access control policies and asset management) and Article 21(2)(j) (multi-factor or continuous authentication, secured communications). In the Implementing Regulation these become four Annex sections:

| CIR Annex section | Title | Maps to Art. 21(2) | Covered in |
|---|---|---|---|
| 10 | Human resources security | (i) | Identity lifecycle |
| 11 | Access control | (i) and (j) | Access control · Auth & MFA · Privileged access |
| 12 | Asset management | (i) | Identity lifecycle (return/deletion of assets) |
| 13 | Environmental & physical security | all-hazards (esp. (c), (e), (i)) | Out of scope here — physical access only referenced |

Governance (Article 20) wraps all of it: the management body must approve the measures, oversee them, can be held liable, and must complete training.


Start here, by role

| You are… | Read, in this order | Why |
|---|---|---|
| Leadership / management body | 01 — Context & governance → the TL;DR boxes on each page | Your Art. 20 accountability, liability, and what "approving the measures" actually means |
| GRC / compliance | 01 → 06 — Mapping & audit-readiness → topic pages as needed | The clause-by-clause matrix, evidence artifacts, and recertification cadences you'll be audited on |
| Security / IT engineers | 02 — Access control → 03 — Lifecycle → 04 — Auth & MFA → 05 — Privileged access | Concrete controls, platform notes, and the configurations auditors look for |

Each page carries an audience tag (👔 Leadership · 📋 GRC · 🔧 Engineering) on every major section so you can skim to what's yours.


Page directory

  1. NIS2 context & governance — What NIS2 is, essential vs. important entities, scope, Article 20 governance and liability, the Article 21 measures, how CIR 2024/2690 fits, enforcement and penalties, transposition status.
  2. Access control — The access control policy (CIR 11.1) and management of access rights (CIR 11.2): least privilege, need-to-know, RBAC/ABAC, segregation of duties, network & remote access, zero-trust alignment.
  3. Identity lifecycle (JML) — Joiner-Mover-Leaver, provisioning/deprovisioning, access reviews and recertification, plus the HR-security clauses (CIR 10.1–10.4) and return/deletion of assets (CIR 12.5).
  4. Authentication & MFA — Identification (CIR 11.5), authentication (CIR 11.6) and multi-factor/continuous authentication (CIR 11.7); phishing-resistant MFA, secured communications under Art. 21(2)(j).
  5. Privileged access — Privileged and system-administration accounts (CIR 11.3) and administration systems (CIR 11.4): just-in-time access, vaulting, session monitoring, privileged access workstations, break-glass.
  6. Mapping & audit-readiness — The master control → Article → CIR-clause → evidence → owner matrix, recertification cadence table, an evidence checklist, ISO/IEC 27001 cross-reference, and how to prepare for a competent-authority audit.

The 30-second summary

  • NIS2 makes access control and identity lifecycle a board-level obligation, not just an IT control. The management body approves and is accountable (Art. 20).
  • The mandatory access-control measures live in Art. 21(2)(i) and (j); the CIR 2024/2690 Annex sections 10–12 turn them into concrete, auditable requirements.
  • The recurring expectations across every clause: least privilege, unique identity, strong (ideally phishing-resistant) MFA, tight control of privileged accounts, timely deprovisioning, and regular review — all documented and evidenced.
  • "Documented and evidenced" is doing a lot of work. Most NIS2 access-control findings are not "you lack a control" but "you cannot demonstrate the control operates." Page 06 is about closing that gap.

Scope & disclaimer

This guide covers logical access control and identity lifecycle for human and non-human (service/machine) identities. It does not cover the full NIS2 measure set (incident handling, business continuity, supply-chain security, cryptography, etc.) except where they intersect access control. Physical access control (CIR section 13) is referenced but not detailed.

The content is general guidance based on the published EU legal texts. It is not legal advice and does not create a compliance guarantee. Your binding obligations come from your member state's transposition of NIS2 and, if you are in a named digital-infrastructure sector, directly from CIR 2024/2690. Validate scope, applicability, and any sector-specific rules with qualified counsel.




FAQ

Does NIS2 apply to my company? NIS2 applies to medium and large organisations operating in the sectors listed in its annexes — energy, transport, banking, financial market infrastructure, health, digital infrastructure, cloud, managed services, online platforms, and more. Micro and small enterprises are generally out of scope unless they are in certain critical digital-infrastructure roles. Your binding obligations come from your member state's national transposition law, which may adjust the thresholds, so confirm scope with qualified counsel.

When does NIS2 become enforceable? NIS2 entered into force on 16 January 2023, with a transposition deadline of 17 October 2024. National enforcement dates are rolling and staggered by country: Germany brought its national law into force on 17 March 2026; the Netherlands expects national law around Q2 2026; the Czech Republic from 1 November 2025; Austria from 1 October 2026. There is no single EU-wide "go live" date — check the national transposition statute for each country where you operate.

Does NIS2 require multi-factor authentication? Yes. MFA is one of the few controls named in the directive text itself (Art. 21(2)(j)), and CIR 2024/2690 Annex section 11.7 specifies it further. Recital 23 of the CIR calls out remote access, access to sensitive information, and privileged and system-administration accounts as the minimum scope. Phishing-resistant MFA (FIDO2/passkeys, certificate-based) is the recommended approach for high-value access.

What access controls does NIS2 Article 21 require? Article 21(2)(i) requires human resources security, access control policies, and asset management. In practice, via CIR 2024/2690 Annex sections 10–12, this means: a written, management-approved access control policy; least-privilege and need-to-know access grants; role-based access control; segregation of duties; a controlled joiner-mover-leaver process; periodic access reviews; and timely deprovisioning and asset recovery on exit.

Is the Implementing Regulation (CIR 2024/2690) mandatory? CIR 2024/2690 is directly binding on named digital-sector entities: DNS providers, TLD registries, cloud computing providers, data centre providers, CDN providers, managed service providers, MSSPs, online marketplaces, search engines, social networking platforms, and trust service providers. For all other essential and important entities it is not directly binding, but it is the most authoritative published expression of what Art. 21(2) means in practice. Auditors and regulators will reason from it, so treating the CIR Annex as your control baseline is the defensible choice.

What are the NIS2 penalties for access-control failures? Under Article 34, essential entities face administrative fines of at least €10 million or 2% of total worldwide annual turnover, whichever is higher. Important entities face at least €7 million or 1.4% of global turnover, whichever is higher. Beyond fines, competent authorities can issue binding remediation orders and, in serious cases for essential entities, temporarily suspend certifications or prohibit management-level individuals from exercising managerial functions.


How KINT helps: KINT automates the joiner, mover, and leaver access lifecycle across your SaaS apps and produces signed, timestamped access-review evidence mapped to SOC 2 CC6 — the kind of evidence NIS2 Article 21 expects you to be able to show. It is early-stage and self-serve, and runs without an identity provider. See how KINT handles the lifecycle or book a 15-minute walkthrough.


Gowtham Palanisamy

Founder of Kingsley Integrators, building KINT in public. Writes about identity lifecycle, SaaS access, and audit evidence.
